diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-06-24 16:02:47 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-24 16:02:47 +0200 |
| commit | 4cd052bddcecd0d24c72521564f9844f21ffc4ea (patch) | |
| tree | 41ad074006937d93a7a7c602fccc6b74e46a58b7 | |
| parent | 819b4a3556481ec516caca2731714ff69a57c2a5 (diff) | |
| parent | 4c7719efa27d9d2966b70b924c90aa2c90022388 (diff) | |
| download | vyos-1x-4cd052bddcecd0d24c72521564f9844f21ffc4ea.tar.gz vyos-1x-4cd052bddcecd0d24c72521564f9844f21ffc4ea.zip | |
Merge pull request #3701 from jestabro/configd-drop-env-sudo
configd: T6504: send sudo_user on session init and set env variable
| -rw-r--r-- | python/vyos/utils/auth.py | 4 | ||||
| -rw-r--r-- | smoketest/scripts/cli/base_vyostest_shim.py | 5 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_system_login.py | 10 | ||||
| -rwxr-xr-x | src/services/vyos-configd | 10 | ||||
| -rw-r--r-- | src/shim/vyshim.c | 11 |
5 files changed, 37 insertions, 3 deletions
diff --git a/python/vyos/utils/auth.py b/python/vyos/utils/auth.py index d014f756f..a0b3e1cae 100644 --- a/python/vyos/utils/auth.py +++ b/python/vyos/utils/auth.py @@ -42,6 +42,10 @@ def split_ssh_public_key(key_string, defaultname=""): def get_current_user() -> str: import os current_user = 'nobody' + # During CLI "owner" script execution we use SUDO_USER if 'SUDO_USER' in os.environ: current_user = os.environ['SUDO_USER'] + # During op-mode or config-mode interactive CLI we use USER + elif 'USER' in os.environ: + current_user = os.environ['USER'] return current_user diff --git a/smoketest/scripts/cli/base_vyostest_shim.py b/smoketest/scripts/cli/base_vyostest_shim.py index efaa74fe0..4bcc50453 100644 --- a/smoketest/scripts/cli/base_vyostest_shim.py +++ b/smoketest/scripts/cli/base_vyostest_shim.py @@ -74,6 +74,11 @@ class VyOSUnitTestSHIM: print('del ' + ' '.join(config)) self._session.delete(config) + def cli_discard(self): + if self.debug: + print('DISCARD') + self._session.discard() + def cli_commit(self): self._session.commit() # during a commit there is a process opening commit_lock, and run() returns 0 diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py index 3f249660d..28abba012 100755 --- a/smoketest/scripts/cli/test_system_login.py +++ b/smoketest/scripts/cli/test_system_login.py @@ -24,6 +24,7 @@ from subprocess import Popen, PIPE from pwd import getpwall from vyos.configsession import ConfigSessionError +from vyos.utils.auth import get_current_user from vyos.utils.process import cmd from vyos.utils.file import read_file from vyos.template import inc_ip @@ -334,5 +335,14 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase): self.assertIn(f'secret={tacacs_secret}', nss_tacacs_conf) self.assertIn(f'server={server}', nss_tacacs_conf) + def test_delete_current_user(self): + current_user = get_current_user() + + # We are not allowed to delete the current user + self.cli_delete(base_path + ['user', current_user]) + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_discard() + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/services/vyos-configd b/src/services/vyos-configd index c89c486e5..d92b539c8 100755 --- a/src/services/vyos-configd +++ b/src/services/vyos-configd @@ -179,8 +179,13 @@ def initialization(socket): pid_string = socket.recv().decode("utf-8", "ignore") resp = "pid" socket.send(resp.encode()) + sudo_user_string = socket.recv().decode("utf-8", "ignore") + resp = "sudo_user" + socket.send(resp.encode()) logger.debug(f"config session pid is {pid_string}") + logger.debug(f"config session sudo_user is {sudo_user_string}") + try: session_out = os.readlink(f"/proc/{pid_string}/fd/1") session_mode = 'w' @@ -192,6 +197,8 @@ def initialization(socket): session_out = script_stdout_log session_mode = 'a' + os.environ['SUDO_USER'] = sudo_user_string + try: configsource = ConfigSourceString(running_config_text=active_string, session_config_text=session_string) @@ -266,9 +273,6 @@ if __name__ == '__main__': cfg_group = grp.getgrnam(CFG_GROUP) os.setgid(cfg_group.gr_gid) - os.environ['SUDO_USER'] = 'vyos' - os.environ['SUDO_GID'] = str(cfg_group.gr_gid) - def sig_handler(signum, frame): shutdown() diff --git a/src/shim/vyshim.c b/src/shim/vyshim.c index 41723e7a4..4d836127d 100644 --- a/src/shim/vyshim.c +++ b/src/shim/vyshim.c @@ -178,6 +178,13 @@ int initialization(void* Requester) strsep(&pid_val, "_"); debug_print("config session pid: %s\n", pid_val); + char *sudo_user = getenv("SUDO_USER"); + if (!sudo_user) { + char nobody[] = "nobody"; + sudo_user = nobody; + } + debug_print("sudo_user is %s\n", sudo_user); + debug_print("Sending init announcement\n"); char *init_announce = mkjson(MKJSON_OBJ, 1, MKJSON_STRING, "type", "init"); @@ -240,6 +247,10 @@ int initialization(void* Requester) zmq_recv(Requester, buffer, 16, 0); debug_print("Received pid receipt\n"); + debug_print("Sending config session sudo_user\n"); + zmq_send(Requester, sudo_user, strlen(sudo_user), 0); + zmq_recv(Requester, buffer, 16, 0); + debug_print("Received sudo_user receipt\n"); return 0; } |